Abstract

In this paper we discuss the problem of finding nontrivial solutions to the Cubic Sieve Congruence problem, that is, solutions of $x^3 \equiv y^2 z \pmod{p}$, where $x, y, z < p^{1/2}$ and $x^3 \neq y^2 z$. The solutions to this problem are useful in solving the Discrete Log Problem or factorization by the index calculus method. Apart from the cryptographic interest, this problem is motivating by itself from a number theoretic point of view. Though we could not solve the problem completely, we could identify certain subclasses of primes where the problem can be solved in time polynomial in $\log p$. Further we could extend the idea of Reyneri's sieve and identify some cases in it where the problem can even be solved in constant time. Designers of cryptosystems should avoid all primes contained in our detected cases.

Keywords: Cubic Sieve Congruence, Discrete Log Problem, Prime Numbers.

Summary

In this article we discuss the problem of how to find nontrivial solutions to the cubic sieve congruence problem, that is, solutions to the equation $x^3 \equiv y^2 z \pmod{p}$, where $x, y, z < p^{1/2}$ and $x^3 \neq y^2 z$. The solutions to this problem are useful for solving the discrete logarithm problem or the integer factorization problem when the index calculus method is used. Besides the evident cryptographic interest, this problem is also relevant from the point of view of elementary number theory. Although we did not manage to solve the problem completely, we were able to identify certain subclasses of primes where the problem can be solved in time polynomial in $\log p$. Likewise, we extended the idea of Reyneri's sieve and identified some classes in which the problem can be solved in constant time. Designers of cryptographic schemes should avoid using any of the primes contained in the cases detected here.

Keywords: cubic sieve congruence, discrete logarithm problem, prime numbers.


1 Introduction

The index calculus method (Menezes and Oorschot and Vanstone 1997; Coppersmith, Odlyzko and Schroeppel 1986; Das 1999; Das and Madhavan 2005) appears to be applicable in solving the Discrete Log Problem (DLP) (Menezes and Oorschot and Vanstone 1997). One variant of this is the cubic sieve method (Coppersmith, Odlyzko and Schroeppel 1986; Lenstra and Lenstra 1990; Das 1999; Das and Madhavan 2005). In the cubic sieve method, one needs a 'known' solution (in positive integers) of the Diophantine equation

$$x^3 \equiv y^2 z \bmod p,$$

such that $x^3 \neq y^2 z$ with $x, y, z$ of order $p^{\alpha}$ for some $\frac{1}{3} < \alpha < \frac{1}{2}$, where $p$ is a prime number. We call this the Cubic Sieve Congruence (CSC) problem and $x, y, z$ will be called a solution of CSC. We refer to (Das 1999, Section 3.2.3) for the logic behind the suggested range of $\alpha$ towards the solution of the discrete log problem.

Though the problem was first presented back in the mid eighties (Coppersmith, Odlyzko and Schroeppel 1986), to the best of our knowledge the next serious attempt at the problem was made in (Das 1999, Chapter 5), where heuristic estimates about the density of the solutions were studied in great detail. We briefly present the results of (Das 1999, Chapter 5) in Section 2 with some more experimental evidence to support the conjectured claims of (Das 1999). However, no effort has yet been made to design a nontrivial algorithm for this problem and we attempt some solutions in Sections 3, 4. It has been stated in (Coppersmith, Odlyzko and Schroeppel 1986) that "We don't see any easy way to find such a triple in general" and in (Das 1999) that "in spite of all these theoretical and experimental exercises, the question of existence or otherwise a solution of the CSC for some $\frac{1}{3} < \alpha < \frac{1}{2}$ continues to remain unanswered".

It is well known that the "Number Field Sieve" (see (Lenstra and Lenstra 1993; Pomerance 1996)) is faster than the cubic sieve among index calculus type methods used in solving DLP. Let $L_p[v, c] = \exp((c + o(1))(\log p)^{v}(\log\log p)^{1-v})$. It is worth mentioning that once a solution of the cubic sieve is known, the running time of the cubic sieve discrete logarithm and factorization algorithm in $GF(p)$ is $L_p[\sqrt{2/3}, 1/2] = \exp((0.816\ldots + o(1))(\log p \log\log p)^{1/2})$ (Coppersmith, Odlyzko and Schroeppel 1986). This could be potentially better than the Number Field Sieve, which has a running time of $L_p[1.923\ldots, 1/3]$. Thus it is important to answer where exactly the contribution of this work stands from a cryptographic point of view. We find polynomial and constant time algorithms (input size $\log p$, when $p$ is the prime) to solve the CSC problem for different subclasses of primes. Though these subclasses are very small compared to the complete set of primes, the primes in these subclasses should not be chosen for any secure cryptosystem which is based on hardness of DLP, as an easy solution of CSC presents a potential weakness.

Further, this problem is interesting in itself from a number theoretic point of view. An easy attempt to solve CSC is to choose $x, y < p^{1/2}$ at random and then check whether $z < p^{1/2}$ too. As it will be clearer later in this paper, this random attempt is not going to succeed at all. Thus one needs to consider carefully designed methods to attack this problem.

We study this problem in parametric form $x = v^2 z \,\%\, p$ and $y = v^3 z \,\%\, p$. By $a \,\%\, b$ we mean the remainder when the integer $a$ is divided by the integer $b$ (the operator $\%\, p$ is always applied to the preceding expression, so $v^2 z \,\%\, p$ means $(v^2 z) \,\%\, p$). In Section 3, we show that it is possible to find a solution in time polynomial in $\log p$ (we denote this by $\mathcal{P}(\log p)$) if there exists a suitable $v > p^{0.25}$ having a value $p^{0.25} + O(\mathcal{P}(\log p))$. We show that this happens
1 

for  approximately  jp^jr  many  primes  p  <  N.  In  Section  4  we  extend  the  idea  of  Reyneri’s  sieve  and  present  precise 
solutions for CSC when the prime $p$ satisfies $n^3 < lp < M < lp + p^{\epsilon}$, where $M = n^2(n + i)$, $i = 1, 2, 3$ or $(n + 1)^3$,

i  i 

0  <  l  <  p°-5~3e  —  pe_1  and  0  <  e  <  This  idea  works  for  approximately  ^]=2  llofj  many  primes  p  <  N.  The 
ideas  used  in  this  paper  seem  to  be  extendable  for  larger  subclasses  of  primes  and  we  are  currently  working  in  that 
direction. 

2 Existing Results

We begin by introducing some notations as in (Das 1999). Fix a prime number $p$. Let

• $S = \{(x, y, z) \mid x^3 \equiv y^2 z \bmod p,\ 1 \le x, y, z < p\}$

• $S_{=} = \{(x, y, z) \mid (x, y, z) \in S \text{ and } x^3 = y^2 z\}$

• $S_{\neq} = \{(x, y, z) \mid (x, y, z) \in S \text{ and } x^3 \neq y^2 z\}$

• $S_{\alpha} = \{(x, y, z) \in S_{\neq} \mid 1 \le x, y, z < p^{\alpha}\}$

Throughout this paper, we use the Vinogradov symbols $\gg$, $\ll$ and the Landau symbols $O$, $\Theta$ and $o$ with their usual meanings (see also (Das 1999; Coppersmith, Odlyzko and Schroeppel 1986; Menezes and Oorschot and Vanstone 1997) for details). We recall that $A \ll B$, $B \gg A$ and $A = O(B)$ are all equivalent and mean that $A \le c|B|$ holds with some constant $c$, while $A = \Theta(B)$ means that both $A \ll B$ and $B \ll A$ hold. For a positive real number $x$ we write $\log x$ for the maximum between 1 and the natural logarithm of $x$. We let $\lfloor x \rfloor$ be the largest integer $\le x$, and let $\{x\} = x - \lfloor x \rfloor$ be the fractional part of $x > 0$.

It is clear that the CSC problem (see also (Das 1999, Chapter 5)), ignoring the bounds on $x, y, z$, has exactly $(p - 1)^2$ solutions, since one can choose any $x, y$ from $[1, p - 1]$ and immediately $z$ will be obtained. Thus,
#S  =  (p  —  l)2  =  0(p2)-  Further  it  has  been  presented  in  (Das  1999,  Chapter  5))  that  #S=  <  |(p  —  1)  ln(p  —  1)  + 
(37  —  §)(p  —  1)  +  0(y/p)  =  0(plnp),  and  #S=  >  \p  +  0(pi),  that  is,  #S=  =  f 2(p). 

Here $\gamma$ is Euler's constant, defined as $\gamma = \lim_{n \to \infty}\left(1 + \frac{1}{2} + \cdots + \frac{1}{n} - \ln n\right) = 0.57721566\ldots$. Since $S$
is  the  disjoint  union  of  S-  and  S^t,  from  above  one  gets,  >  (p  —  l)2  —  |(p  —  1)  ln(p  —  1)  +  0(p ),  and  so, 

#5^  <  (p  —  l)2  —  | p  +  0(pi).  In  particular,  #5^  =  0(p2). 

We are more interested in the value of $\#S_{\alpha}$, which is estimated by the following conjecture in (Das 1999, Chapter 5).

Conjecture 1 The expected cardinality of $S_{\alpha}$ is asymptotically equal to $\chi p^{3\alpha - 1}$ for all $0 < \alpha < 1$ and for some constant $\chi \approx 1$.


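Table 1. Primes 4268002919 (left) and 4213586771 (middle) and average values over 50 primes of 30-bit length (right)

Left: p = 4268002919

| $\alpha$ | # sol | $\lfloor \frac{2}{3} p^{3\alpha-1} \rfloor$ | $\lfloor p^{3\alpha-1} \rfloor$ |
|------|-------|-------|-------|
| 0.34 | 0 | 0 | 1 |
| 0.35 | 0 | 2 | 3 |
| 0.36 | 2 | 3 | 5 |
| 0.37 | 6 | 7 | 11 |
| 0.38 | 16 | 14 | 22 |
| 0.39 | 27 | 28 | 43 |
| 0.40 | 69 | 56 | 84 |
| 0.41 | 154 | 109 | 164 |
| 0.42 | 283 | 212 | 319 |
| 0.43 | 573 | 413 | 620 |
| 0.44 | 1135 | 804 | 1206 |
| 0.45 | 2223 | 1564 | 2347 |
| 0.46 | 4407 | 3043 | 4565 |
| 0.47 | 8639 | 5919 | 8879 |
| 0.48 | 16910 | 11513 | 17270 |
| 0.49 | 33179 | 22392 | 33589 |
| 0.50 | 65137 | 43552 | 65329 |

Middle: p = 4213586771

| $\alpha$ | # sol | $\lfloor \frac{2}{3} p^{3\alpha-1} \rfloor$ | $\lfloor p^{3\alpha-1} \rfloor$ |
|------|-------|-------|-------|
| 0.34 | 0 | 0 | 1 |
| 0.35 | 2 | 2 | 3 |
| 0.36 | 4 | 3 | 5 |
| 0.37 | 5 | 7 | 11 |
| 0.38 | 13 | 14 | 22 |
| 0.39 | 27 | 28 | 43 |
| 0.40 | 54 | 56 | 84 |
| 0.41 | 126 | 108 | 163 |
| 0.42 | 257 | 211 | 317 |
| 0.43 | 547 | 412 | 618 |
| 0.44 | 1080 | 800 | 1201 |
| 0.45 | 2150 | 1557 | 2336 |
| 0.46 | 4235 | 3028 | 4543 |
| 0.47 | 8300 | 5888 | 8832 |
| 0.48 | 16427 | 11448 | 17172 |
| 0.49 | 32244 | 22258 | 33387 |
| 0.50 | 63262 | 43274 | 64911 |

Right: average over 50 primes of 30-bit length

| $\alpha$ | Mean | Std.Dev |
|------|-----------|-----------|
| 0.34 | 0.2800000 | 0.6074369 |
| 0.35 | 0.4400000 | 0.5115004 |
| 0.36 | 0.5340000 | 0.4082616 |
| 0.37 | 0.6622222 | 0.4120630 |
| 0.38 | 0.7054902 | 0.3139408 |
| 0.39 | 0.7988400 | 0.2547877 |
| 0.40 | 0.8296789 | 0.1910907 |
| 0.41 | 0.8618105 | 0.1410821 |
| 0.42 | 0.8903438 | 0.1060304 |
| 0.43 | 0.9261365 | 0.0804415 |
| 0.44 | 0.9389463 | 0.0643277 |
| 0.45 | 0.9533673 | 0.0441644 |
| 0.46 | 0.9686826 | 0.0338940 |
| 0.47 | 0.9745897 | 0.0261893 |
| 0.48 | 0.9799228 | 0.0207219 |
| 0.49 | 0.9840180 | 0.0138331 |
| 0.50 | 0.9883767 | 0.0111183 |
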

The conjecture is certainly believable, since if $x, y$ are selected at random, then the probability that $z \equiv x^3/y^2 < p^{\alpha}$ is expected to be $p^{\alpha}/p$ and so the size of $S_{\alpha}$ is about $p^{3\alpha-1}$. We also make a good number of experimental verifications with various sizes of primes ranging from 15 bits to 32 bits to support the above conjecture. In (Das 1999, Chapter 5), experimental results have been tabulated for the primes 32263723 (25 bits) and 1034302223 (30 bits). We tabulate in Table 1 experimental results for two 32-bit primes. In the first column we give the values of $\alpha$. The second column contains the number of solutions with $x, y, z < p^{\alpha}$. The third column contains the value of $\lfloor \frac{2}{3} p^{3\alpha-1} \rfloor$ and the fourth column contains the value of $\lfloor p^{3\alpha-1} \rfloor$. These results indicate that as $\alpha$ increases, the number of solutions gets closer to $p^{3\alpha-1}$ and also for sufficiently large $\alpha$ depending on the size of the prime (in case of 32-bit primes this $\alpha$ is 0.41), $\lfloor \frac{2}{3} p^{3\alpha-1} \rfloor$ gives a lower bound to the number of solutions.

To continue our verification, we calculate $\frac{\text{Number of solutions}}{p^{3\alpha-1}}$ for $\alpha$ ranging from 0.34 to 0.50 for fifty randomly chosen primes of 30 bits. Then in Table 1 (rightmost) we have tabulated $\alpha$ in the first column and the mean of the fifty fractions for that $\alpha$ in the second column. In the last column the standard deviation of the same values is given. Results here indicate that as $\alpha$ increases to 0.50, the mean gets closer to 1.0 and the standard deviation gets closer to 0.0. This justifies Conjecture 1 further.

In (Coppersmith, Odlyzko and Schroeppel 1986, Page 13) it was noted that Reyneri's sieve applied to $p = x^3 - z$, with $z$ small, generates an easy solution having $y = 1$. So the idea is to take $x = \lceil \sqrt[3]{p} \rceil$, that is, the minimum $x$ such that $x^3 > p$. If $x^3 - p < p^{0.5}$, then put $z = x^3 - p$ and $y = 1$. This gives a solution with $x, y, z < p^{0.5}$. However, getting such a solution is not possible in general. It may very well happen that the first $x$ for which $x^3 > p$ is such that $x^3 - p > p^{0.5}$. As an example, take $p = 125000003$. In that case, the first $x$ such that $x^3 > p$ is $x = 501$. So $x^3 - p = 125751501 - 125000003 = 751498 > p^{0.5}$ and we cannot get a solution according to our need, as for $y = 1$, $z = x^3 - p > p^{0.5}$. However, we note that there are many solutions with the constraint $x, y, z < p^{0.5}$ for this prime and one such example is $x = 56$, $y = 605$, $z = 1025$.

A simple algorithm to find a solution for any prime is as follows.

Algorithm 1

1. for $x = 1$ to $p^{a}$, $x = x + 1$ {
2.     for $y = 1$ to $p^{b}$, $y = y + 1$ {
3.         calculate $0 < y_1 < p$, such that $y y_1 \equiv 1 \bmod p$;
4.         calculate $z = x^3 y_1^2 \,\%\, p$;
5.         if $z < p^{0.5}$ output solution $(x, y, z)$;
6.     }
7. }

Note that, by the previous analysis, it is clear that if we take $a = b = 0.35$, then it is expected to get a solution with $x, y, z < p^{0.35}$ for any large prime $p$. Further, step 3 of Algorithm 1 needs $O(\log p)$ time. Thus, the overall complexity becomes $O(p^{0.7} \log p)$. On the other hand, we have also experimentally observed that it is possible to get a solution with $y < p^{0.5}$ when $x$ is very small compared to the large prime $p$. Considering this assumption and then letting $a = \epsilon$, a very small quantity, and $b = 0.5$, it is expected to get a solution where $x, y, z < p^{0.5}$ with time complexity $O(p^{0.5+\epsilon} \log p)$. However, given a very large $p$, this algorithm is not a practical one.
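The Reyneri test and Algorithm 1 described above can be used to screen a candidate prime, as in the following added example (not code from the paper). The function names are this example's own, the loops of Algorithm 1 are reordered so that one inversion is done per $y$, and the prime 997 is a constructed test value; 125000003 and the triple (56, 605, 1025) are the ones quoted in the text.

```python
from math import isqrt


def is_csc_solution(p, x, y, z):
    """True if (x, y, z) is a nontrivial CSC solution with x, y, z < p^0.5."""
    bound = isqrt(p)  # for prime p, t < sqrt(p) is the same as t <= isqrt(p)
    in_range = all(1 <= t <= bound for t in (x, y, z))
    return in_range and (x**3 - y * y * z) % p == 0 and x**3 != y * y * z


def ceil_cube_root(n):
    """Smallest integer x with x^3 >= n, using integer bisection only."""
    lo, hi = 0, 1
    while hi**3 < n:
        hi *= 2
    while lo < hi:
        mid = (lo + hi) // 2
        if mid**3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo


def reyneri_easy_solution(p):
    """Return (x, 1, x^3 - p) if x = ceil(p^(1/3)) gives z < p^0.5, else None."""
    x = ceil_cube_root(p)
    z = x**3 - p
    return (x, 1, z) if is_csc_solution(p, x, 1, z) else None


def algorithm1(p, x_max, y_max):
    """Algorithm 1: scan x <= x_max, y <= y_max and keep triples with z < p^0.5.

    x_max and y_max play the role of p^a and p^b in the text.
    """
    found = []
    for y in range(1, y_max + 1):
        y_inv_sq = pow(y, -2, p)  # (y^-1)^2 mod p (Python 3.8+)
        for x in range(1, x_max + 1):
            z = (x**3 * y_inv_sq) % p
            if is_csc_solution(p, x, y, z):
                found.append((x, y, z))
    return found


if __name__ == "__main__":
    p = 125000003  # prime used in the text
    print("Reyneri easy solution:", reyneri_easy_solution(p))
    print("(56, 605, 1025) valid:", is_csc_solution(p, 56, 605, 1025))
    q = 997  # constructed small prime, 997 = 10^3 - 3
    print("Reyneri easy solution for 997:", reyneri_easy_solution(q))
    print("Algorithm 1 on 997:", len(algorithm1(q, 31, 31)), "solutions")
```

A prime for which `reyneri_easy_solution` returns a triple falls into the easy case noted by Coppersmith, Odlyzko and Schroeppel and should be rejected when choosing DLP parameters.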

3  Parametric  form  for  CSC 

To  have  a  better  understanding  of  the  problem,  we  express  it  in  parametric  form.  We  rewrite  the  congruence  in  the 
form  (-)  =  -  (mod  p).  That  suggests  the  parametrization 

$$x = v^2 z \,\%\, p \quad \text{and} \quad y = v^3 z \,\%\, p \qquad (1)$$

Note that in this parametric form the sets $S$, $S_{\neq}$, $S_{\alpha}$ (as defined in the previous section) can be rewritten as

• $S = \{(x, y, z) \mid x = v^2 z \,\%\, p,\ y = v^3 z \,\%\, p,\ 1 \le x, y, z, v < p\}$,

• $S_{\neq} = \{(x, y, z) \mid x = v^2 z \,\%\, p,\ y = v^3 z \,\%\, p,\ 1 \le x, y, z, v < p,\ x^3 \neq y^2 z\}$,

• $S_{\alpha} = \{(x, y, z) \mid x = v^2 z \,\%\, p,\ y = v^3 z \,\%\, p,\ 1 \le x, y, z < p^{\alpha},\ 1 \le v < p,\ x^3 \neq y^2 z\}$.

However, the condition $x^3 \neq y^2 z$ in CSC needs to be tackled carefully in this parametric form. First we present a technical result.

Proposition 1 If $(x, y, z) \in S_{0.5}$ satisfy (1), then $v > p^{0.25}$.

Proof: Let $v < p^{0.25}$. Then $x = v^2 z \,\%\, p = v^2 z$ since $v^2 z < p^{2(0.25)+0.5} = p$ as $z < p^{0.5}$. Also $y = vx \,\%\, p = vx$, since $x < p^{0.5}$ and $v < p^{0.25}$. Thus $x^3 = y^2 z$, which violates the requirement $x^3 \neq y^2 z$.

In the rest of the paper, we consider the specific constraint $p^{0.25} < v < p^{0.5}$. Further we need solutions of the form $x, y, z < p^{0.5}$. Under these constraints, $x^3 \neq y^2 z$ in CSC is equivalent to $x \neq v^2 z$ (see Proposition 2 below). This serves our purpose, since as presented in Proposition 1, we have $v > p^{0.25}$ for any solution with $x, y, z < p^{0.5}$ and further we concentrate on the cases when $v < p^{0.5}$ too.

Proposition 2 Let $p^{0.25} < v < p^{0.5}$, $1 \le x, y, z < p^{0.5}$. Then the condition $x^3 \neq y^2 z$ is equivalent to $x \neq v^2 z$.

Proof: Suppose $x, y, z$ is a solution for CSC such that $v < p^{0.5}$ and $x^3 \neq y^2 z$. Since $x, v < p^{0.5}$, we have $y = vx < p$. Assume that $x = v^2 z = \frac{y^2}{x^2} z$. This implies that $x^3 = y^2 z$, which is a contradiction to $x^3 \neq y^2 z$. Thus we get $x \neq v^2 z$.

Conversely, let $x, y, z, v$ be a solution to the system $x \equiv v^2 z \bmod p$, $y \equiv vx \bmod p$, $x \neq v^2 z$, with $p^{0.25} < v < p^{0.5}$, $1 \le x, y, z < p^{0.5}$. Then $y = vx$ and $x = v^2 z + lp$, with $l \neq 0$. So, $x = \frac{y^2}{x^2} z + lp$, which implies $x^3 = y^2 z + (l x^2) p$, that is, $x^3 \equiv y^2 z \bmod p$, but $x^3 \neq y^2 z$.

Thus, to find a solution for the CSC problem it suffices to find a solution to

$$x \equiv v^2 z \bmod p, \quad y \equiv vx \bmod p, \quad \text{where } p^{0.25} < v < p^{0.5},\ x \neq v^2 z,\ 1 \le x, y, z < p^{0.5}. \qquad (2)$$

It is clear that the set of these solutions is a subset of $S_{0.5}$. Further it should be noted that for these solutions, $y$ is an exact integral multiple of $x$.

Definition 1 We call a solution $x, y, z$ of CSC as given in equation (2) a valid solution.

Henceforth, we write $v = p^{\delta}$ and $z = p^{\beta}$ for $\delta$, $\beta$ real.

Conjecture 1 claims that there are approximately $\chi p^{3\alpha-1}$ many solutions ($\chi \approx 1$) where $x, y, z < p^{\alpha}$. For $\alpha = 0.5$, the number of solutions is approximately $p^{0.5}$. We randomly took 25 primes of length 30-bit and checked that for these solutions, when turned to the parametric domain, the number of cases with $v < p^{0.5}$ is extremely low. The number of solutions for 30-bit primes is approximately $2^{15}$. However, in Table 2 we observe that the number of solutions having $v < p^{0.5}$ is extremely low compared to $2^{15}$. In the most favorable result, we get 19 solutions only for the prime 759828683. Also it should be noted that there are cases when there is no solution with $v < p^{0.5}$, as happened for the prime 741799451 (note that $x^3 + p$ has the required form, for $x = 731, 929, 3034, 6039$, however, $y/x$ is not an integer). Thus there are very few solutions which, in the parametric form, give $x, y, z, v < p^{0.5}$. Still we attempt to find those solutions here, as the range in which we need to vary $v$ is much smaller than $O(p)$, and show that the analysis produces favorable results in certain cases.

Lemma 1 For any valid solution of CSC, if $v = p^{\delta} < p^{0.5}$ then $x < p^{0.5-\delta} < p^{0.25}$.

Proof: Since $\delta < 0.5$ and for a valid solution $x < p^{0.5}$, the congruence $y \equiv vx \bmod p$ is an equality, that is, $y = vx$. From this we have $vx < p^{0.5}$, therefore $x < \frac{p^{0.5}}{v} = p^{0.5-\delta}$. From Proposition 1, $\delta > 0.25$, hence the result.


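Table 2. Number of solutions with $x, y, z < p^{0.5}$ and $v < p^{0.5}$, by range of $\delta$

| Primes | $0 < \delta < .3$ | $.3 < \delta < .35$ | $.35 < \delta < .4$ | $.4 < \delta < .45$ | $.45 < \delta < .5$ |
|------------|---|---|----|---|---|
| 895917131 | 2 | 0 | 0 | 0 | 0 |
| 593554447 | 0 | 0 | 0 | 1 | 1 |
| 551556059 | 0 | 0 | 2 | 0 | 0 |
| 774712823 | 0 | 0 | 1 | 1 | 0 |
| 961344259 | 0 | 1 | 2 | 1 | 0 |
| 1052502491 | 1 | 1 | 0 | 0 | 0 |
| 877166131 | 0 | 1 | 0 | 1 | 0 |
| 669150091 | 1 | 0 | 0 | 2 | 2 |
| 721235807 | 0 | 0 | 0 | 1 | 0 |
| 997165739 | 1 | 0 | 0 | 0 | 0 |
| 777782111 | 0 | 0 | 3 | 2 | 1 |
| 601873567 | 0 | 2 | 0 | 7 | 6 |
| 976974643 | 0 | 1 | 1 | 0 | 0 |
| 561998999 | 6 | 2 | 1 | 0 | 0 |
| 784308199 | 0 | 0 | 0 | 0 | 1 |
| 604718867 | 1 | 1 | 0 | 0 | 0 |
| 920692687 | 0 | 0 | 2 | 1 | 1 |
| 678600491 | 1 | 0 | 0 | 1 | 0 |
| 1066913867 | 0 | 1 | 0 | 1 | 0 |
| 741799451 | 0 | 0 | 0 | 0 | 0 |
| 1014893507 | 3 | 0 | 4 | 1 | 0 |
| 678813823 | 3 | 1 | 2 | 0 | 0 |
| 759828683 | 0 | 0 | 14 | 4 | 1 |
| 548375899 | 0 | 1 | 3 | 0 | 0 |
| 917289047 | 0 | 2 | 6 | 1 | 2 |
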

Lemma 2 For a fixed $v = p^{\delta} < p^{0.5}$ that is part of a valid solution, we have $z > p^{1-2\delta}$.

Proof: From the fact that $p^{0.25} < v < p^{0.5}$, we have $p^{0.5} < v^2 < p$. Now, if we assume that $z < p^{1-2\delta}$, then without taking modular operations $p^{0.5} < v^2 z = p^{2\delta} z < p^{2\delta} p^{1-2\delta} = p$. Therefore $x = v^2 z$ cannot be less than $p^{0.5}$. This proves that $z > p^{1-2\delta}$.

Putting together Proposition 1 and Lemmas 1 and 2, we obtain the following result.

Theorem 1 Let there be a valid solution (recall that $x, y, z < p^{0.5}$ in that case) with $p^{0.25} < v = p^{\delta} < p^{0.5}$. Then $x < p^{0.5-\delta} < p^{0.25}$ and $z > p^{1-2\delta}$.

In light of the above discussion, let us present the following result, which will be used for the algorithms we discuss next.

Proposition 3 For some $v, z$ such that $p^{0.25} < v = p^{\delta} < p^{0.5}$ and $p^{1-2\delta} < z < p^{0.5}$, if there exists an $x < p^{0.5-\delta}$, then $y < p^{0.5}$, that is, we have a valid solution.

As we have already mentioned, an important question at this point is: "is it guaranteed that for any prime $p$ there will be a solution of the form $x, y, z, v < p^{0.5}$?" The answer is no, though for almost all the primes we have considered, it is possible to get such a solution. We have some experimental results for 25 primes in Table 2, where there is only one prime, 741799451, for which there is no solution of the form $x, y, z, v < p^{0.5}$.

In this section we assume that the considered primes have solutions of the form $x, y, z, v < p^{0.5}$ and present an algorithm based on that. The observation from Theorem 1 presents the basis of the algorithm we propose now. Here for each fixed $v = p^{\delta}$ in the range $p^{0.25}$ to $p^{0.5}$, we vary $z$ in the range $p^{1-2\delta} = \frac{p}{v^2}$ to $p^{0.5}$ and compute $x$ for each pair $(v, z)$. Once the suitable $x$ is found, with $x < p^{0.5-\delta}$, we output the solution.

Algorithm 2

1. for $v = p^{0.25}$ to $p^{0.5}$, $v = v + 1$ {
2.     for $z = \frac{p}{v^2}$ to $p^{0.5}$, $z = z + 1$ {
3.         calculate $x = v^2 z \,\%\, p$;
4.         if $x < \frac{p^{0.5}}{v}$ output the solution $(x, y = vx, z)$;
5.     }
6. }
7. Output no solution with $x, y, z, v < p^{0.5}$;


If there is no solution $x, y, z, v < p^{0.5}$, our Algorithm 2 fails. However, that is not the case in general. Note that in the worst case, the time complexity of Algorithm 2 is $O(p)$, which is worse than the trivial Algorithm 1. However, it should be noted that Algorithm 2 is extremely efficient when there is a solution where $v$ is close to $p^{0.25}$. Before proceeding further, let us present some nontrivial improvement over Algorithm 2.

From Theorem 1, we can see that for fixed $v$, the smallest $z$ that can be considered is $\lceil p^{1-2\delta} \rceil$. We represent this as $z_1$ and also write $z_1 = p^{\beta_1}$ for some real $\beta_1 < 0.5$. For this $z_1$, we have

$$v^2 z_1 = p^{2\delta+\beta_1} = p + k_1 \qquad (3)$$

for some $0 < k_1 < p$. Now we have two possible cases:

Case 1: $k_1 < p^{0.5-\delta}$. In this case our problem is solved by letting $x = k_1$, because from our earlier analysis we know that if $v, z < p^{0.5}$ and $x < p^{0.5-\delta}$, then we can have a solution just by taking $y = vx$.

Case 2: $k_1 > p^{0.5-\delta}$. In this case we may try for the 'next suitable' $z$ in increasing order. Let that be $z_2 = p^{\beta_2}$ of the form $z_2 = z_1 + t_1$. Also, we need $z_2$ to be such that

$$v^2 z_2 = p^{2\delta+\beta_2} = 2p + k_2, \quad \text{and} \quad v^2 (z_2 - 1) < 2p, \qquad (4)$$

for some $0 < k_2 < p$. This is because, if we take any other $z_2'$ such that $z_1 < z_2' < z_2$, then $p + k_1 < v^2 z_2' = p + k_2' < 2p$ and hence $k_1 < k_2' < p$. Thus if $x = k_1$ is not a valid solution, $x = k_2'$ cannot be a valid solution as well. So we consider $v^2 z_2 = 2p + k_2$, which gives $v^2 (z_1 + t_1) = 2p + k_2$. This gives us $v^2 t_1 = 2p + k_2 - v^2 z_1 = 2p + k_2 - (p + k_1) = (p - k_1) + k_2$, and so $t_1 = \frac{(p - k_1) + k_2}{v^2}$. Since our aim is to minimize $k_2$, we can take $t_1 = \left\lceil \frac{p - k_1}{v^2} \right\rceil$. Again, as above, we have two cases.

Case 2a: $k_2 < p^{0.5-\delta}$, which leads to a solution.

Case 2b: $k_2 > p^{0.5-\delta}$, we can continue to the next $z$, say $z_3 = z_2 + t_2$ where $t_2 = \left\lceil \frac{p - k_2}{v^2} \right\rceil$.

We can repeat this process until it terminates by giving us a 'valid' solution or it reaches a stage where $z_r > p^{0.5}$ in some $r$th cycle. Then we can restart with $v = v + 1$ till $v < p^{0.5}$. Based on this we present the following algorithm.


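Algorithm 3

I    Min $= \lceil p^{0.25} \rceil$;
II   Max $= \lfloor p^{0.5} \rfloor$;
III  Start with $v =$ Min;
IV   while ($v <$ Max) {
IVa      $z = \lceil \frac{p}{v^2} \rceil$;
IVb      $k = v^2 z \,\%\, p$;
IVc      if ($k < \lfloor \frac{p^{0.5}}{v} \rfloor$)
             Output solution as $(x = k, y = kv, z, v)$ and terminate;
IVd      $t = \lceil \frac{p - k}{v^2} \rceil$;
IVe      $z = z + t$;
IVf      while ($z <$ Max) {
             $k = v^2 z \,\%\, p$;
             if ($k < \lfloor \frac{p^{0.5}}{v} \rfloor$)
                 Output solution as $(x = k, y = kv, z, v)$ and terminate;
             $z = z + t$;
         }
IVg      $v = v + 1$;
     }
V    Output no solution with $x, y, z, v < \lfloor p^{0.5} \rfloor$;
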


In Algorithm 3 we increase $z$ by a step of $t$ instead of 1, as was done in Algorithm 2. This gives the improvement. However, as $v$ becomes larger the worst case complexity of Algorithm 3 becomes $O(p)$, which is again theoretically worse than the trivial method described in Algorithm 1. On the other hand, it is important to note that Algorithm 3 is much more efficient than Algorithm 1 when there is a solution where $v$ is close to $p^{0.25}$. We shall now use Algorithm 3 for a few arbitrary primes, which are hard to solve using Algorithm 1. Note that the last but one row in Table 3 contains a 77-bit prime and the last row contains a 98-bit prime. We run Algorithm 3 implemented using the C programming language and the GMP (GNU Multi Precision) facility. The operating system is Redhat Linux 8.0 and the machine contains a Pentium IV processor with 1 GByte RAM. It took approximately 20 minutes to have a solution for the 77-bit prime and 5 minutes for the 98-bit one. If one uses Algorithm 1, it seems very hard to find solutions in these cases with present day machines. As in Table 2, all the primes presented in Table 3 are selected at random. We have chosen five 77-bit primes and obtained a solution every time within half an hour. For 98-bit, we have taken two randomly chosen primes, out of which one is in Table 3; the other one has not given any solution in 3 hours.


Table 3. Experimental Results running Algorithm 3

| $p$ | $p^{0.25}$ | $p^{0.5}$ | $v$ | $x$ | $y$ | $z$ |
|-----|-----|-----|-----|-----|-----|-----|
| 145678132176163 | 3475 | 12069719 | 27009 | 17 | 459153 | 9785284 |
| 145678132176162513743 | 109863 | 12069719639 | 115472 | 18609 | 2148818448 | 10925491628 |
| 23456543676548754325781 | 391351 | 153155292682 | 1440247 | 48034 | 69180824398 | 147005442243 |
| 66666555558888899999267 | 508133 | 258198674587 | 11225651 | 16104 | 180777883704 | 117974951645 |
| 165449093126897423470644536537 | 20168152 | 406754340022202 | 52165306 | 5171691 | 269782843552446 | 303998105265466 |


Theorem 2 Assume that for a prime $p$, there exists a valid solution (recall Definition 1 and equation (2)) with $v = \Theta(p^{0.25+\epsilon})$. Then Algorithm 3 requires $O(p^{0.25+3\epsilon})$ time complexity.

Proof: We assume $p - k$ is $\Theta(p)$. If $v$ is $\Theta(p^{0.25+\epsilon})$, then $t$ is $O\left(\frac{p}{p^{0.50+2\epsilon}}\right)$, that is, $O(p^{0.50-2\epsilon})$. So $z$ takes $O\left(\frac{p^{0.50}}{p^{0.50-2\epsilon}}\right)$, which is $O(p^{2\epsilon})$, steps for each $v$. Hence the total time complexity is $O(p^{0.25+3\epsilon})$.

From Table 2, we see that there are solutions for $\delta < 0.3$ for 9 primes out of 25 and the time complexity is $O(p^{0.4})$ in these cases. It should also be noted that this method is extremely effective when $v$ is $\Theta(p^{0.25})$.

Now let us see under what conditions Algorithm 3 works in time $O(\mathcal{P}(\log p))$, that is, in time polynomial in $\log p$. This directly follows from the proof of Theorem 2.

Corollary 1 Assume that for a given prime $p$, there is a solution $x, y, z < p^{0.5}$ (as in (2)) with $v = p^{0.25} + O(\mathcal{P}(\log p))$. Then Algorithm 3 runs in $O(\mathcal{P}(\log p))$ time.

Proof  :  If  v  =  p025  +  0(P(\ogp)),  then  t  is  6((pQ.25^0^(Iogp)))^  )■  Now  z  takes  0(^)  steps,  and  considering 

po°f5p)  is  negligible,  one  can  assume  that  z  takes  constant  number  of  steps  for  each  v.  This  gives  the  proof. 

Algorithm 3 uses a suitable gap in $z$ for a fixed $v$. In a similar way one can try to work with a suitable gap in $v$ for a fixed $z$. However, we believe a much better improvement could be achieved by finding a 'better' $(v_1, z_1)$ pair for a given $(v_0, z_0)$ pair. Here by 'better' we aim at having $k_1 < k_0 < p$, where $v_1^2 z_1 = l_1 p + k_1$ and $v_0^2 z_0 = l_0 p + k_0$. A strategy in this direction may improve Algorithm 3 further.

Now one important question is what proportion of primes will have a solution as mentioned in Corollary 1. This is not clear at this point and needs further investigation.

It should be noted that the primes in Table 3 are selected at random. However, it is possible to identify very large primes for which Algorithm 3 will give a solution very fast. We first decide on a bound for $p$, say $N$, and then select any $v$ of $O(N^{0.25})$. Now choose a prime $p$ which lies between $(v - 1)^2 v^2 - v + 1 < p < (v - 1)^2 v^2$. Thus $v$ is $\Theta(p^{0.25})$. Take $z = (v - 1)^2$ and note that $z < p^{0.5}$. It is easy to see that $x, y < p^{0.5}$.

As an example we present a 160 digit prime
$p$ = 1761370873747778153936370692741276446873091308450438909145024711207163080071003516398646915708244598438342410668233754646248246087265981544014990191518124512839.
Note that
$\lceil p^{0.25} \rceil$ = 6478324567890123456743789213645386564273,
$\lfloor p^{0.5} \rfloor$ = 41968689206928754804764822743102551198400852553442630150378557202428461773454255,
$v$ = 6478324567890123456743789213645386564273,
$x$ = 697,
$y$ = 4515392223819416049350421081910834435298281, and
$z$ = 41968689206928754804764822743102551198394374228874740026921813413214816386889984.


Proposition 4 Consider a prime $p$ such that $(v - 1)^2 v^2 - v + 1 < p < (v - 1)^2 v^2$. Then we get a valid solution of (2) for $z = (v - 1)^2$.

Proof: Since $(v - 1)^4 < (v - 1)^2 v^2 - v + 1 < p$, we get $z = (v - 1)^2 < p^{0.5}$. Now $x = v^2 z \,\%\, p = v^2 (v - 1)^2 \,\%\, p$. This gives $x \le v - 2 < p^{0.25}$. Hence, $y = vx \le v(v - 2) < (v - 1)^2 < p^{0.5}$.
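To check whether a candidate prime falls into the classes covered by Algorithm 3 and Proposition 4, the search can be written as follows; this is an added Python example, not the authors' C/GMP implementation. It recomputes the step $t$ after every probe, as in Cases 2a and 2b of the derivation, and accepts a probe when $y = vx \le \lfloor p^{0.5} \rfloor$; the function names and the small prime 397 are this example's own, while the first row of Table 3 is used as a check.

```python
from math import isqrt


def ceil_div(a, b):
    """Ceiling of a / b for positive integers."""
    return -(-a // b)


def is_valid_solution(p, v, x, y, z):
    """Valid solution in the sense of equation (2) and Definition 1."""
    r = isqrt(p)  # for prime p, t < sqrt(p) is the same as t <= r
    return (isqrt(r) < v <= r                     # p^0.25 < v < p^0.5
            and all(1 <= t <= r for t in (x, y, z))
            and y == v * x
            and x == (v * v * z) % p
            and x != v * v * z)


def search_fixed_v(p, v):
    """Inner loop of Algorithm 3 for one v.

    Only the smallest z above each multiple of p / v^2 is probed, because
    every z in between gives a larger residue k (Case 2 in the text).
    """
    r, vv = isqrt(p), v * v
    z = ceil_div(p, vv)                 # z_1 = ceil(p / v^2)
    while z <= r:
        k = (vv * z) % p
        if 0 < k and k * v <= r:        # y = v * x < p^0.5
            return (k, k * v, z)
        z += ceil_div(p - k, vv)        # t = ceil((p - k) / v^2)
    return None


def algorithm3(p, v_max=None):
    """Return (v, x, y, z) for the first v in [ceil(p^0.25), v_max] that works.

    v_max caps the work spent on one candidate; None means floor(p^0.5).
    """
    r = isqrt(p)
    v_max = r if v_max is None else min(v_max, r)
    for v in range(isqrt(r) + 1, v_max + 1):   # isqrt(r) + 1 = ceil(p^0.25)
        hit = search_fixed_v(p, v)
        if hit is not None:
            return (v,) + hit
    return None


def proposition4_solution(p):
    """Constant-time check: is p inside the window of Proposition 4?"""
    v = isqrt(isqrt(p)) + 1
    top = (v - 1) ** 2 * v * v
    if top - v + 1 < p < top:
        x = top - p
        return (v, x, v * x, (v - 1) ** 2)
    return None


if __name__ == "__main__":
    p1 = 145678132176163               # first row of Table 3
    print("v = 27009:", search_fixed_v(p1, 27009))
    print("Proposition 4 window:", proposition4_solution(p1))
    print("p = 397 (constructed):", algorithm3(397), proposition4_solution(397))
```

A prime for which `proposition4_solution` or a small-budget `algorithm3` call returns a tuple belongs to the classes the paper advises cryptosystem designers to avoid.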

The Prime Number Theorem (see reference (Menezes and Oorschot and Vanstone 1997)) states that there are approximately $\frac{N}{\log N}$ many primes less than or equal to $N$. Proposition 4 implies that, for approximately $\frac{(v-1)^2 v^2}{\log((v-1)^2 v^2)} - \frac{(v-1)^2 v^2 - v + 1}{\log((v-1)^2 v^2 - v + 1)}$ ~ ~ many primes less than $N$, one can get a fast solution to CSC using Algorithm 3.

Thus we have the following result from the above discussion and Corollary 1.


Corollary  2  There  are  approximately  many  primes  p  <  N  for  which  we  get  a  valid  solution  of  CSC  in 

0(V(\ogp))  time  using  Algorithm  3. 


4  Further  extension  with  respect  to  Reyneri’s  sieve 

We have already discussed an application of Reyneri's sieve to CSC in Section 2. Here we use an extension of that idea to get fast solutions of CSC for certain kinds of primes.


Let $p$ be a given prime, then take $n = \lfloor p^{1/3} \rfloor$. So, we have $n^3 < p < (n+1)^3$. Now let $k = (n+1)^3 - p$. If $k <$ by letting $v = n+1$ and $z = n+1$, we have the required solution as seen earlier. One can also consider the cases when $n^3 < p < n^2(n+i)$ for $i = 1, 2, 3$. Consider that some particular $a^2 b$ satisfies $a^2 b > p$ and $k = a^2 b - p <$

Then we have a solution by taking $v = a$ and $z = b$. Now we look into this idea more carefully.

Theorem 3 Given a prime $p$, assume that there exist $l$ and $i$ such that for $n = \lfloor \sqrt[3]{p} \rfloor$ we have
(i) $n^3 < lp < (n+1)^3 < lp + p^{\epsilon}$, or
(ii) $n^3 < lp < n^2(n+i) < lp + p^{\epsilon}$, where $i = 1, 2$, or $3$ and $i < p^{0.5} - p^{0.5-\epsilon}$,
where $0 < l < p^{0.5-3\epsilon} - p^{\epsilon-1}$. Then there is a valid solution of (2) with
(i) $v = z = n+1$,
(ii) $v = n$, $z = n+i$,
respectively. Further $l > 0$ implies $0 < \epsilon < \frac{1}{6}$.

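Proof: First we prove (i). Take $v = z = n+1$. Then $lp < v^2 z = (n+1)^3 < lp + p^{\epsilon}$. Thus, $x = v^2 z \bmod p$, $x < p^{\epsilon}$. Now $y = vx < (n+1) p^{\epsilon} < \left(\sqrt[3]{lp + p^{\epsilon}}\right) p^{\epsilon} < \left(\sqrt[3]{(p^{0.5-3\epsilon} - p^{\epsilon-1}) p + p^{\epsilon}}\right) p^{\epsilon} = \left(\sqrt[3]{p^{1.5-3\epsilon} - p^{\epsilon} + p^{\epsilon}}\right) p^{\epsilon} = p^{0.5-\epsilon} p^{\epsilon} = p^{0.5}$. Similarly, $z = n+1 < p^{0.5-\epsilon}$.

Now we prove (ii). In this case, $n^3 < lp < n^2(n+i) < lp + p^{\epsilon}$, $i = 1, 2, 3$. Take $v = n$, $z = n+i$. Then we obtain $v^2 z = n^2 z = n^2(n+i) < lp + p^{\epsilon}$. Since $x = v^2 z \bmod p$, $x < p^{\epsilon}$. Further $y = vx < n p^{\epsilon} < (lp + p^{\epsilon})^{1/3} p^{\epsilon} < ((p^{0.5-3\epsilon} - p^{\epsilon-1}) p + p^{\epsilon})^{1/3} p^{\epsilon} = (p^{1.5-3\epsilon} - p^{\epsilon} + p^{\epsilon})^{1/3} p^{\epsilon} = (p^{1.5-3\epsilon})^{1/3} p^{\epsilon} = p^{0.5-\epsilon} p^{\epsilon} = p^{0.5}$. Lastly, we have to show that $z < p^{0.5}$ given that $z = n+i$. Since $n^3 < lp$, we have $n < (lp)^{1/3} < ((p^{0.5-3\epsilon} - p^{\epsilon-1}) p)^{1/3} = (p^{1.5-3\epsilon} - p^{\epsilon})^{1/3} < p^{0.5-\epsilon}$. So, $n + i < p^{0.5-\epsilon} + i < p^{0.5}$, if $i < p^{0.5} - p^{0.5-\epsilon}$.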

Based on Theorem 3, we present Algorithm 4. Before stating the step by step algorithm, we discuss the following few issues. Let us consider a prime $p$ and some $l$. It is clear that we can immediately calculate $n = \lfloor \sqrt[3]{p} \rfloor$. Now to get a solution using Theorem 3, one needs $lp + p^{\epsilon} > M$, where $M = n^2(n+i)$, $i = 1, 2, 3$ or $M = (n+1)^3$. Thus $lp$ must be greater than $M - p^{\epsilon}$. That is why the requirement is $M - p^{\epsilon} < lp < M$.

Now we need to check whether there exists any $l$ for which this is possible. So we calculate $l = \lfloor \frac{M}{p} \rfloor$, and so $lp < M < (l+1)p$. Given this $l$, we calculate the maximum $\epsilon$ in the range $0 < \epsilon < \frac{1}{6}$ such that $l < p^{0.5-3\epsilon} - p^{\epsilon-1}$. There are various ways to calculate such an $\epsilon$. For instance, labeling $A = \sqrt{p}$, $X = p^{-\epsilon}$, we can solve for $X$ satisfying the inequality $A^3 X^4 - l A^2 X - 1 > 0$. (We can also use the next alternative approach: since $\epsilon - 1 < 0$ and $0.5 - 3\epsilon > 0$, the term $p^{0.5-3\epsilon}$ will dominate $p^{\epsilon-1}$ and so, for $p$ sufficiently large, we can only solve the inequality $l < p^{0.5-3\epsilon}$ instead, which will give $p^{\epsilon} = \sqrt[3]{p^{0.5}/l}$.) For that maximum $\epsilon$, if $lp + p^{\epsilon}$ becomes greater than $M$, then we get a valid solution. Thus, we do not need to check all integer $l$ in the range $0 < l < p^{0.5-3\epsilon} - p^{\epsilon-1}$, but we can only check the values of $l$ as $l = \lfloor \frac{n^2(n+i)}{p} \rfloor$, for $i = 1, 2, 3$ and $l = \lfloor \frac{(n+1)^3}{p} \rfloor$ in the prescribed range. Also it is clear that as we increase $l$, the value of $\epsilon$ becomes smaller. Thus the expectation of getting a solution decreases as $l$ is increased. Based on this we present the following algorithm.


Algorithm 4

I
II          $l = 1$; $M_1 = n^2(n+1)$; $M_2 = n^2(n+2)$; $M_3 = n^2(n+3)$; $M_4 = n^3$;
III         while ($l < u$) {
IIIa            $z_1 = n+1$; $z_2 = n+2$; $z_3 = n+3$; $z_4 = n$;
IIIb            for ($i = 1, 2, 3, 4$) {
IIIb(i)
IIIb(ii)            Calculate $\epsilon$ such that $l = \lfloor p^{0.5-3\epsilon} - p^{\epsilon-1} \rfloor$; $g = \lfloor p^{\epsilon} \rfloor$;
IIIb(iii)           if $(M_i - lp) < g$
                        report $v = n$, $z = z_i$, $x = v^2 z \,\%\, p$, $y = v^3 z \,\%\, p$ and terminate;
IIIc            }
IIId            $n = n + 1$;
IV          }
V           Report no solution of this form.
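The check a parameter reviewer would run for Proposition 4 and for the $(v, z)$ shapes of Theorem 3, as an added Python example that is not code from the paper. Instead of computing $\epsilon$ it verifies $x, y, z < \sqrt{p}$ directly; taking $n$ as the integer cube root of $lp$, the function names, the `max_l` cut-off and the small primes are assumptions constructed for the example.

```python
def iroot(n, k):
    """Floor of the k-th root of n, in exact integer arithmetic."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:  # binary search for the largest r with r**k <= n
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def csc_solution(p, v, z):
    """Return (x, y, z) if (v, z) yields a valid CSC solution mod p, else None."""
    x = v * v * z % p
    y = v * x % p                      # y = v^3 z mod p
    small = all(0 < t and t * t < p for t in (x, y, z))   # each value < sqrt(p)
    congruent = pow(x, 3, p) == y * y * z % p
    nontrivial = x ** 3 != y * y * z
    return (x, y, z) if small and congruent and nontrivial else None

def prop4_candidate(p):
    """Find v with (v-1)^2 v^2 - v + 1 < p < (v-1)^2 v^2; return (v, z) or None."""
    w = iroot(p, 4)
    for v in (w, w + 1, w + 2):
        top = (v - 1) ** 2 * v ** 2
        if top - v + 1 < p < top:
            return v, (v - 1) ** 2
    return None

def theorem3_scan(p, max_l=8):
    """Try the Theorem 3 shapes for l = 1..max_l; return (l, v, x, y, z) or None."""
    for l in range(1, max_l + 1):
        n = iroot(l * p, 3)            # assumption: n chosen so that n^3 <= l*p
        for v, z in ((n + 1, n + 1), (n, n + 1), (n, n + 2), (n, n + 3)):
            sol = csc_solution(p, v, z)
            if sol:
                return (l, v) + sol
    return None

def in_detected_class(p):
    """True if p falls in one of the two easily solved classes checked here."""
    c = prop4_candidate(p)
    return bool(c and csc_solution(p, *c)) or theorem3_scan(p) is not None

if __name__ == "__main__":
    for p in (8093, 1097, 1009):       # constructed small primes
        print(p, prop4_candidate(p), theorem3_scan(p), in_detected_class(p))
```

A prime for which `in_detected_class` returns `True` should be rejected when choosing DLP parameters; a `False` result only means the prime is outside these two particular classes.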

Now it is important to analyze what proportion of primes are covered by Algorithm 4. We only take the case when $l = 1$, which gives a lower bound on the number of primes that are being covered by this algorithm, and the algorithm will stop just after the first iteration. That is, for these primes, we have a constant time algorithm. For $l = 1$, $\epsilon = \frac{1}{6}$. Thus if we have $M - p^{\epsilon} < p < M$, then there is a valid solution of CSC for the prime $p$. We can take $p \approx n^3$. The range between $n^3$ and $(n+1)^3$ is $3n^2 + 3n + 1$. In this range $p$ can have the value in the range $M - p^{\epsilon} < p < M$, where $M = n^2(n+i)$, $i = 1, 2, 3$ or $M = (n+1)^3$ to have a solution by Algorithm 4 in one step. Thus there are 4 different regions, each of length $p^{\epsilon}$, where we get a one step solution using Algorithm 4. Thus in the range of $3n^2 + 3n + 1$ integers, we are interested in the 4 intervals containing $4 p^{\epsilon} \approx 4 n^{1/2}$ many integers in total. Now we can approximate the number of primes in these intervals by

$$\sum_{i=1}^{4} \left( \frac{M_i}{\log M_i} - \frac{M_i - n^{1/2}}{\log (M_i - n^{1/2})} \right),$$

where the $M_i$'s are as described in step II of Algorithm 4. Taking $N \approx n^3 \approx M_i$, we can approximate this by

$$4 \left( \frac{N}{\log N} - \frac{N - n^{1/2}}{\log N} \right) = \frac{4 n^{1/2}}{\log N} \approx \frac{4 n^{1/2}}{\log (n+1)^3} \approx \frac{4 n^{1/2}}{3 \log n}.$$


Similarly one can look at the interval between $(n-1)^3$ and $n^3$. Thus one can approximate the total number of

n  i  jyj  .1 

such  primes  up  to  (n  +  l)3  by  ^"=2  lipry  ~  Sj=2  llofy-  summarize  the  previous  analysis  in  the  following 
corollary. 


Corollary  3  There  are  approximately  l,  many  primes  p  <  N  for  which  we  get  a  valid  solution  of  CSC  in 

one  step  by  using  Algorithm  4. 


To further motivate our sieving approach, we now attempt to find some necessary conditions on primes $p$ which fail Reyneri's sieve, but pass ours. From its construction, a prime $p$ will pass Reyneri's sieve when $x^3 - p < p^{0.5}$, where $x = \lceil \sqrt[3]{p} \rceil$. On the other hand, a prime $p$ will pass our sieve if there is some $l$ satisfying the conditions of Theorem 3.

We first discuss the case with $l = 1$. Given some $n$, we concentrate on the interval of integers from $n^3$ to $(n+1)^3$. Take the cases when (1) $(n+1)^3 - p^{\epsilon} < p < (n+1)^3$ or (2) $n^2(n+3) - p^{\epsilon} < p < n^2(n+3)$. In these two cases, considering $n \ll p^{1/2}$, one can see the following solution using Reyneri's sieve. Take $x = \lceil \sqrt[3]{p} \rceil$, $z = x^3 - p$ and $y = 1$. In these two cases, $x^3 = (n+1)^3$ and hence $z = x^3 - p < x^3 - n^2(n+3) + p^{\epsilon} = 3n + 1 + p^{\epsilon} < p^{1/2}$. Thus one can get a solution with $x, y, z < p^{1/2}$. However, note that the solutions we get using Algorithm 4 are different from the ones using Reyneri's sieve, since $y$ cannot be 1 in our cases, as $y > x$, in fact a multiple of $x$.


Now consider the other two cases when (3) $n^2(n+2) - p^{\epsilon} < p < n^2(n+2)$ or (4) $n^2(n+1) - p^{\epsilon} < p < n^2(n+1)$. In these two cases, $z = x^3 - p > x^3 - n^2(n+2) = 3n^2 + 3n + 1 > p^{1/2}$. Thus these primes have solution for CSC with our sieving method, but not by Reyneri's sieving.

As  an  experimental  result,  we  tried  with  n  =  100000  and  found  16  primes  as  in  the  cases  (1),  (2)  which  pass 
Reyneri’s  sieve  and  18  primes  as  in  the  cases  (3),  (4)  which  do  not  pass  Reyneri’s  sieve. 

The cases considering $l > 1$ are not simple to analyze and need further investigation. However, we have experimented with a few cases and the results show that the primes do not pass Reyneri's sieve. As an example, we tried with $n = 100000$. For $2 < l < 9$, we got the solutions for 30 primes according to Theorem 3 and none of them can be approached by Reyneri's sieve.

Now we extend slightly the notion of valid solution to CSC to include all solutions satisfying $x, y, z = O(p^{1/2})$ (in our previous definition the constant understood was 1).

Theorem  4  Let  pbe  a  prime.  Assume  that  there  exist  integers  a,  b  with  c\ pi  <  a  <  C2P°'5~e  (for  some  fixed  constants 
ci  >  C2/  due  to  the  reason  c\pe  <  C2P^~e,  0  <  e  <  |  —  logp (ff))  and  b  >  ^  such  that  Ip  <  a2b  <  Ip  +  pe,  for 
some  1  <  l  <  C3 pi.  Then  there  is  a  valid  solution  of  CSC  with  v  =  a,  z  =  b. 

Proof  :  Take  v  =  a,  z  =  b.  It  can  be  checked  that  a;3  =  y2z  mod  p  and  x3  y2z.  Since  Ip  <  a2b  <  Ip  +  pe  and 
x  =  a2b  mod  p,  it  follows  that  x  =  a2b%p  <  pe  <  pe .  Similarly,  using  alp  <  a3b  <  alp  +  ape  and  y  =  a3b  mod  p, 
we  gather  that  y  =  a3b%p  <  ape  <  C2P^~epe  =  C2P^~e.  Furthermore,  z  =  b  <  -§■  +  H — < 

a  a  c\pZ 

pi  +  1  <  +  l^j  pi .  Therefore,  x,  y,  z  are  all  0(pi )  and  they  are  solutions  to  CSC. 

Clearly  the  result  of  Theorem  4  covers  a  lot  more  primes  than  Theorem  3.  However,  it  is  not  clear  how  to  write  an 
algorithm  to  get  l  very  fast  when  the  results  of  Theorem  3  or  Theorem  4  are  applied.  Algorithm  4  works  efficiently  (in 
fact  in  constant  time)  when  one  gets  a  solution  for  low  values  of  l  (bounded  by  a  constant),  however  as  l  increases,  the 
complexity  of  the  algorithm  increases. 

5  Conclusion 

In  this  paper  we  identify  some  subsets  of  the  set  of  primes  where  the  Cubic  Sieve  Congruence  problem  can  be  solved 
very  fast.  The  solutions  to  this  problem  help  in  solving  the  Discrete  Log  Problem  (DLP)  by  index  calculus  method. 
Thus  we  could  identify  some  subclasses  of  primes  which  should  not  be  used  in  the  design  of  cryptosystems  where  the 
hardness  of  DLP  provides  the  security.  Apart  from  a  cryptographic  interest,  this  problem  is  motivating  by  itself  from  a 
number  theoretic  point  of  view.  We  could  only  provide  partial  solutions  to  this  problem.  Solving  it  completely  seems 
to  be  an  extremely  challenging  task.  Thus,  getting  some  more  partial  solutions  to  this  problem  presents  an  important 
research  direction. 